The findings are part of the 2012 Information Security Breaches Survey, conducted with more than 400 organisations across the UK. The research has been written by business advisers PwC in conjunction with Infosecurity Europe and supported by the Department for Business, Innovation and Skills.  

 

Key findings include:

Some 75% of large organisations and 61% of small businesses allow staff to use smart phones and tablets to connect to their corporate systems. Yet only 39% – and a quarter of smaller firms – apply data encryption on the devices.  

 

A substantial 82% of large organisations (and 45% of small businesses) reported security breaches caused by staff and 47% (20% of small businesses) lost or leaked confidential information.

 

Personalisation is creating new security threats from both malicious software and data loss, the survey shows.  

Stuart Marshall, data security expert at PwC in Milton Keynes, said: “With the explosion of new mobile devices and the blurring of lines between work and personal life, organisations are opening their systems up to massive risk. Smart phones and tablet computers are often lost or stolen, with any data on them exposed.” 

More than half of small businesses and 38% of large ones do not have a programme for educating staff about security risks.  Only one in four respondents with a security policy believe their staff have a very good understanding of it.

Those that have invested in staff awareness training are reaping the benefits – they are four times as likely to have staff who clearly understand the security policy and half as likely to have staff-related security breaches as organisations that don’t train their staff.

Mr Marshall said: “Staff need to know what risks to look out for, how to handle data appropriately and what to do if a breach occurs.  Security breaches by staff are often the result of a lack of education about the risks involved and organisations could do more to address this.”

The survey suggests that with their increasing dependence on social networking sites, organisations are targets.  Half of the organisations surveyed say they think social networking sites are important to their business, up from only a third two years ago.   Yet, controls are not keeping pace.